opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-17 03:04:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)

Browse Source 
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.

That notably adds support for Fulcio and Rekor signing.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač
2023-01-12 00:14:42 +01:00
parent 356f7b6c9d
commit 069edc3adf
287 changed files with 61247 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
test/e2e/push_test.go
View File

@ -149,7 +149,7 @@ var _ = Describe("Podman push", func() {
}
if !IsRemote() { // Remote does not support signing
By("pushing and pulling with sigstore signatures")
By("pushing and pulling with --sign-by-sigstore-private-key")
// Ideally, this should set SystemContext.RegistriesDirPath, but Podman currently doesnt
// expose that as an option. So, for now, modify /etc/directly, and skip testing sigstore if
// we dont have permission to do so.
@ -187,6 +187,28 @@ var _ = Describe("Podman push", func() {
pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed"})
pull.WaitWithDefaultTimeout()
Expect(pull).Should(Exit(0))
By("pushing and pulling with --sign-by-sigstore")
// Verify that the policy rejects unsigned images
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed-params"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
Expect(push.ErrorToString()).To(BeEmpty())
pull = podmanTest.Podman([]string{"pull", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed-params"})
pull.WaitWithDefaultTimeout()
Expect(pull).To(ExitWithError())
Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists"))
// Sign an image, and verify it is accepted.
push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore", "testdata/sigstore-signing-params.yaml", ALPINE, "localhost:5000/sigstore-signed-params"})
push.WaitWithDefaultTimeout()
Expect(push).Should(Exit(0))
Expect(push.ErrorToString()).To(BeEmpty())
pull = podmanTest.Podman([]string{"pull", "--tls-verify=false", "--signature-policy", policyPath, "localhost:5000/sigstore-signed-params"})
pull.WaitWithDefaultTimeout()
Expect(pull).Should(Exit(0))
}
}
})